Since 1998, I've been writing about technologies and technologists on the cutting edge, who are poised to reshape the status quo in both promising and troubling ways. Lately, I've been looking into the players behind wireless charging and whether they have what it takes to make Nikola Tesla's dream finally come true. Feel free to get in touch at news@eliseackerman.net, or @eliseackerman on Twitter.

Why a small change to Google Chrome could have big implications for Internet users

Writer’s note: Post has been updated based on feedback and an official statement from Google. All new additions are in italics.

Earlier this week, a Google employee named William Chan published a post on Google Plus about the way his team was planning to solve some problems that the Chrome browser was having delivering Web addresses.

The issues, and the solution, are highly technical. But they boil down to this: in order to deliver pages faster, Google is going to make it possible for the browser to resolve Web site addresses like www.google.com into IP addresses like 216.239.51.99 that machines on the Internet can read.

Currently, Chrome follows standard industry practices to resolve Web addresses: Chrome sends a request to the underlying operating system which reaches out to another computer on the Internet known as a DNS server. This process gives a computer user control over which DNS server to use.

At this point, even if you have a moderate interest in technology, you will probably be wondering why this is news.

The changes to Chrome matter a lot because they mean Google will be in a position to steer all the traffic from Chrome browsers to Google’s own DNS servers. This could provide Google with vast insight into what is happening on the Web, including on competitors’ sites like Facebook.

Google’s response: while this is technically true, they would never do this. (Remember the whole “don’t be evil” motto.) One thing I was told, but wasn’t able to confirm officially, is that doing this could potentially cause problems for Chrome users in corporate environments.

Updated 6:02 p.m. 3/16/2012: Google spokeswoman Lily Lin sent an email that clarifies that Google is not going to do this. For the techies out there she said: the DNS stub resolver that Google is building “will use the OS-configured DNS servers by default. These are the same DNS servers that the existing mechanism (calling the operating system’s getaddrinfo() function) uses.”

Lin also confirmed that overriding a user’s settings would break a user’s VPN. “We have not at all considered switching to Google Public DNS by default as it would break for many users. For instance, many users browse the web from within a corporate intranet, whose hostnames Google Public DNS does not recognize. Therefore, if we ever switched to Google Public DNS, hostnames would fail to resolve.”

For the non-techies out there this means that the code changes won’t put your privacy at risk. For investors, it means the new code won’t be giving Google a competitive advantage. And for readers keeping score, it means I pressed the publish button too early. I apologize for being confused and for confusing you!

Depending on your perspective, this gives Google a great competitive advantage, or raises questions about the applicability of the Sherman Antitrust Act.

There’s also a user privacy issue. Now, I use Google Public DNS and I’m not worried about Google secretly spying on my Internet traffic. But there is very little to stop Google should it decide there is a compelling need to closely inspect unencrypted packets hitting its DNS servers.

Author’s Note: At this point it’s worth clarifying a misunderstanding I had when I wrote this post that was identified by one of the readers. The way the Internet works, not all content in a communication packet is sent to a DNS server. If you are interested, I’ll be explaining this in a later post, thanks to Paul Mockapetris, the founder of the domain name system, who has agreed to do an in-depth interview with Qubits.

The issue was pointed out to me by David Ulevitch, whom I interviewed last month for my post “A Closer Look at Google Public DNS.” Unlike most people on the planet, Ulevitch has skin in this game. He runs a service called OpenDNS, which competes with Google Public DNS. The implications for David are that Chrome will now be able to override his users’ choices. Instead of allowing the operating system to resolve an address via OpenDNS, Chrome would, at least in theory, ensure the address is resolved by Google Public DNS.

“It’s a dangerous combination when you control the browser, search and DNS,” Ulevitch said. “It’s like Microsoft back in the day when it controlled the browser and the desktop operating system and dominated the market for office apps.”

Few people realize how much information can be seen by organizations that are part of the domain name system.


Comments

Tom, I’m happy to learn more about DNS. I’ve got tons of questions based on reading William Chan’s post. If you want to talk offline, I’d be grateful for the help. (qubits@eliseackerman.net is my email.)

But the fact is that Google is writing code that will make it easy for the company to direct all DNS queries to its DNS servers. “We would never do that,” doesn’t provide much reassurance, and that’s basically all they said on the record and even that wasn’t in a written statement.

Chan’s post, as you point out, was incredibly technical. You need the equivalent of a degree in software engineering to understand it. Unfortunately, the folks who do understand it don’t seem to be willing to discuss its implications. That’s troubling, since you guys are the experts.

If Google wanted to slow a competitor’s web pages they could just slow them at the browser level. Or they could just devalue their search rank. Or any number of other things. I haven’t seen anything close to malicious activity here. Besides that, I would trust Google with my search data far more than my direct ISP, which already sees everything, has no value for transparency, and potentially does all the dangerous things you mention here. Additionally, Google is one of the biggest proponents for net neutrality http://en.wikipedia.org/wiki/Network_neutrality as opposed to most ISPs which would promote premium content over regular traffic. http://www.tuaw.com/2012/02/27/atandt-aims-to-have-developers-pay-for-app-bandwidth-usage/

Posting this so it’s not hidden, didn’t mean to hide it 4 deep in the reply thread, sorry :)

Elise, while I believe you really did try to do your best on this article, I think that it is either way over your head or you are being sent misinformation by someone.

I will try to first outline some of the misinformation in this article and why it is incorrect:

1) “The changes to Chrome matter a lot because they mean Google will be in a position to steer all the traffic from Chrome browsers to Google’s own DNS servers.” — This is incorrect, they would only be sending DNS requests that are not already cached to Google’s servers. This would have nothing to do with what webpage you’re visiting, or how many times it is visited. It is just the domain, not the full URL.

2) “This could provide Google with vast insight into what is happening on the Web, including on competitors’ sites like Facebook.” — Incorrect, it would tell Google IP “x” asked for the IP address of facebook.com at Time “Y”. The browser would then cache this (in facebook.com’s case) for 3600 seconds. If you request facebook.com during that time period, it would not send the DNS request again. Once again it would only ask for facebook.com not for facebook.com/my/profile/1234 so they could not see where you were going.

3) “But there is very little to stop Google should it decide there is a compelling need to closely inspect unencrypted packets hitting its DNS servers.” — What would they be inspecting? Your actual request to the page which would have any information would not pass through them. They are not setting up a proxy server and using that. This is only DNS, not web traffic. I believe you are getting the 2 mixed up.

4) “It’s a dangerous combination when you control the browser, search and DNS,” Ulevitch said. “It’s like Microsoft back in the day when it controlled the browser and the desktop operating system and dominated the market for office apps.” — This is very different in my opinion. Here Google is not giving you a computer with Chrome on it, nor is it forcing you to use Google search. Not to mention per Chan’s + page all he is saying is that it is a current consideration to do this. Also he doesn’t say it would be forced to be used or an option.

5) “A machine attached to a DNS server doing deep packet inspection is the equivalent of a person sitting at the central post office…”. This is 100% false. The request to the DNS server would be like someone intercepting a call to 411 and asking the number for “John’s Pizzeria”. Once again it DOES NOT transfer the request to the webserver through Google’s servers. This is just a DNS server NOT a Proxy server.

6) “Other information, such as what domains are requested and the type of request, for example text or email, as well as the transport protocol, are kept permanently.” — You say this comes from a response from Google, I have a feeling this is your interpretation from the response from Google. A DNS server would never be sent why the record lookup is happening, what it’s for, or the protocol used, nor is there any way to send it with the DNS specifications.

While I believe you were writing a good article to educate your users, I feel you just don’t have a firm enough grasp on the technology and all you ended up doing was feeding misinformation.

If you have any questions about what I have said / my qualifications you are more than welcome to contact me and I will explain the differences to you in further detail.
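
Added example (not part of the article or of any comment in this thread): a Python sketch of the point made in items 1 to 3 of the comment above, that a DNS lookup carries only the hostname and is repeated only once the cached answer has expired. The function and class names, the constructed browsing session and the 3600-second TTL (the figure quoted in the comment) are assumptions of this example.

```python
import struct
from urllib.parse import urlsplit

def build_query(hostname, qtype=1, txid=0x1234):
    """Encode a standard DNS query (RFC 1035): 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in hostname.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE 1 = A, QCLASS 1 = IN

def parse_question(packet):
    """Decode everything the question section gives the server: name, type, class."""
    labels, pos = [], 12  # question starts right after the fixed header
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return {"qname": ".".join(labels), "qtype": qtype, "qclass": qclass}

class CachingStub:
    """Toy browser-side cache: queries upstream only when no unexpired answer is held."""
    def __init__(self, ttl):
        self.ttl, self.expires, self.upstream_log = ttl, {}, []

    def visit(self, url, now):
        host = urlsplit(url).hostname  # path and query string never reach DNS
        if self.expires.get(host, -1) <= now:
            packet = build_query(host)
            self.upstream_log.append((now, parse_question(packet)["qname"]))
            self.expires[host] = now + self.ttl
        return host

def resolver_view(visits, ttl=3600):
    """Return the (time, name) pairs the upstream DNS server would observe."""
    stub = CachingStub(ttl)
    for now, url in visits:
        stub.visit(url, now)
    return stub.upstream_log

# Constructed session: (seconds since start, URL visited)
VISITS = [
    (0, "http://facebook.com/my/profile/1234"),
    (60, "http://facebook.com/photos"),
    (3599, "http://facebook.com/messages"),
    (3600, "http://facebook.com/my/profile/1234"),
]

if __name__ == "__main__":
    print(parse_question(build_query("facebook.com")))
    print(resolver_view(VISITS))
```

Besides the question section, the server also learns the source IP address of whoever sent the packet and the time it arrived; shorter TTLs mean more of the session's timing becomes visible upstream.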

Hi there, I would like to talk more, and I’m happy to do it 1:1, write up what I’ve learned, and then schedule a hangout to make sure the post clarifying the technical misunderstandings doesn’t perpetuate more.

We live in an increasingly technical society that’s dominated by giant corporations—who are staffed by friends and neighbors. I think it’s important to make “expert” knowledge available to ordinary people. If you folks would be willing to help me do that, I’d be extremely grateful.

No they can’t do it. If they did this, intranet users will not be able to access internal websites, which can only be resolved with internal DNS servers. And it will break the principle of the internet. Google is not that stupid :-)